[ https://issues.apache.org/jira/browse/HADOOP-10505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13969732#comment-13969732 ]
jay vyas commented on HADOOP-10505:
-----------------------------------

Upon further investigation, you cannot "hack" the yarn-site.xml file.

1) If you thinly a non-simple field for the value of hadoop.security.authentication (i.e. "proxy", "kerberos", "kerberos_ssl", ...) then you will get a "security method is not enabled" exception.

2) If you try the other hack of a "dummy" security method (i.e. hadoop.security.authentication = "foo"), you get the (expected) exception "Invalid attribute value of hadoop.security.authentication" error.

So I don't see a good workaround, unless maybe there is a simple way to implement a dummy implementation of security.

> Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.
> -----------------------------------------------------------------------------
>
> Key: HADOOP-10505
> URL: https://issues.apache.org/jira/browse/HADOOP-10505
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: jay vyas
>
> As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser
> replaces the user who submits a job if security is disabled:
> {noformat}
> return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
> {noformat}
> However, the only way to enable security is to NOT use SIMPLE authentication
> mode:
> {noformat}
> public static boolean isSecurityEnabled() {
>   return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
> }
> {noformat}
>
> Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser
> for submission of LinuxExecutorContainer.
> This results in a confusing issue, wherein we submit a job as "sally" and
> then get an exception that user "nobody" is not whitelisted and has UID <
> MAX_ID.
> My proposed solution is that we should be able to leverage
> LinuxContainerExecutor regardless of hadoop's view of the security settings on
> the cluster, i.e. decouple LinuxContainerExecutor logic from the
> "isSecurityEnabled" return value.

-- This message was sent by Atlassian JIRA (v6.2#6252)